Privacy policy for contractors

This information applies to personal data which are collected by Echo Investment SA (the ‘Administrator’ or ‘we’) as administrator of personal data, the ways in which they are used as well as the rights of individuals related to the collection and use of such data. If you have any questions or comments, please contact rodo@echo.com.pl.

In order to conduct business, the Administrator collects and uses information identifying individuals (also called ‘personal data’), including information about persons cooperating with the Administrator.

As part of our commitment to the protection of personal data we would like to clearly inform you why and how the administrator collects, uses and stores your personal data and what your rights and our obligations are in connection with the processing.

1. The scope of information

In this clause the Administrator reports all forms of the use of personal data (the ‘processing’) in relation to individuals who are:

a) suppliers or contractors, including potential ones, of the Administrator;

b) contractors of the Administrator's clients e.g. appraisers who collect apartments on behalf of clients or architects who are included in the process of tenant changes by clients, etc;

c) partners, employees, statutory representatives, proxies or representatives of such suppliers or contractors; and

d) other people whose data we process for the purpose of issuing or processing invoices
(jointly ‘you’ or ‘Contractors’).

2. Types of personal data

2.1. Data provided by the Contractors

In connection with the cooperation between you and the Administrator, we may process personal details you provide, such as:

a) name and surname, PESEL number,

b) the company, business address and correspondence addresses, NIP or REGON number,

c) contact details such as e-mail address or telephone or fax number,

d) position you occupy within your organization,

e)specific identification numbers which are not general numbers (e.g. service card number);

f) bank account number.

In the case of concluding the contract directly between you and the Administrator, the provision of the above data is voluntary, but necessary for the conclusion of the contract and servicing cooperation between you and the Administrator. In the event you do not enter into a contract with the Administrator directly, providing personal data may be obligatory.

The consequence of not providing data is the lack of possibility for the Administrator to perform actions (e.g. failure to provide data may result in no possibility to implement tenant changes).

2.2. Data collected from other sources

The administrator may also collect your personal data from other sources such as:

i. the CEIDG or KRS registers of entrepreneurs – in order to verify information provided by Contractors. In this case the scope of the processed data will be limited to data available to the public in the relevant registers;

ii. entities in which you are employed or which you represent. The scope of data processed will include information necessary for the implementation of the contract between the Administrator and such entity e.g. information about the termination of your employment with a given entity, change of contact details or change of office;

iii. internal databases kept by the Administrator or subsidiaries, the list of which is available at https://en.echo.com.pl/s,119,lista-spolek-zaleznych.html (hereinafter referred to as the ‘Echo Group’). This applies to data enabling contact with a specific Contractor who has already provided services or delivered goods to one of the companies from the Echo Group.

3. Legal basis, goals and periods of data processing

3.1. Legal basis for data processing

We cannot process personal data if we do not have a valid legal basis. Therefore, we process personal data only if:

a) the processing is necessary to fulfil contractual obligations towards you, if you are a party to the contract concluded with the Administrator;

b) the processing is necessary in order to fulfil our legal obligations e.g. the obligation to issue an invoice or other document required by law, or explicitly requires us by law (this applies to the disclosure of data to Contractors at the request of competent authorities or courts);

c) the processing is necessary for the execution of legitimate interests of the Administrator or a third party and it does not unduly affect your interests or fundamental rights and freedoms. Please note that when processing personal data on this basis, we always strive to strike a balance between our legitimate interests and your privacy.

Such legitimate interests are:

i. concluding and implementing contracts with Contractors which are organizational units without legal personality or legal persons;

ii. establishing or pursuing civil law claims by the Administrator as part of the conducted activity as well as defending against such claims;

iii. verification of contractors in public registers;

iv. verification of the identity of persons employed in entities cooperating with the Administrator e.g. suppliers, couriers, architects, etc .;

v. contact with the Contractors, including keeping internal registers of the Contractors in order to enable the Administrator to contact the Contractors;

vi. basic exchange of data on Contractors through IT systems used in the Echo Group.

3.2. Objectives and periods of data processing

Personal data are processed only for a specific purpose and to the extent necessary to achieve it and for as long as it is necessary. The goals that the Administrator accomplishes through the processing of personal data and the periods during which the data are processed are listed below.

Purpose of processing Processing period
Fulfilling contractual obligations Duration of the contract between the Contractor and the Administrator
Verification of the identity of persons employed in entities cooperating with the Administrator. Duration of the contract between the entity employing a given person and the Administrator or until the employment of such person ceases
Exchange of data on contractors in the Echo Group. The period for which data on contractors are processed for other purposes
Archiving data on the basis of generally applicable laws such as the Accounting Act and the Tax Ordinance Act The period indicated in the relevant regulations; as a rule –  5 years from the end of the calendar year in which e.g. invoicing, contract termination, etc. occurred

Notwithstanding the above periods, your data may be processed by the Administrator for the purpose of determining or pursuing by the Administrator civil claims in the course of their activity as well as defending against such claims – for appropriate periods of limitation of such claims i.e. in principle no longer than for six years from the occurrence of the event resulting in the claim.

4. Provision of personal data

4.1. Transmission of personal data within the Echo Group

We may transfer personal data to our employees as well as to other entities related to the Echo Group. A full list of companies from the Echo Group which the Administrator can provide Contractor's data to is available at https://en.echo.com.pl/s,119,lista-spolek-zaleznych.html.

4.2. Transfer of personal data outside the Echo Group

Data may be transferred to recipients and other third parties in order to meet the objectives listed in item 3.2 to the extent that they are necessary for them to perform the tasks ordered by the Administrator if required by law or if the Administrator has a different legal basis. The recipients or other third parties may be deemed to be:

a) entities processing personal data at the request of the Administrator, such as IT systems suppliers or entities providing document archiving services;

b) all national public administration bodies (e.g. the Police), authorities of other EU Member States (e.g. bodies appointed to protect personal data in other Member States) or courts, if required by applicable national or EU law or at the request of these authorities;

c) courier or postal service providers;

d) other people within the organization of the given Contractor;

e) business partners, who are to acquire from Echo Group whole or part of business or each of the assets (also in course of reorganization or liquidation);

f) investors, who acquire shares in Echo Group companies.

4.3. Data transfer outside the European Economic Area

Personal data transferred within or outside Echo Group may also be processed in a country outside the European Economic Area (‘EEA’). At present the Administrator may transfer your personal data to Sri Lanka for purposes necessary to perform his business, as a result of the cooperation of the Administrator with IFS Industrial and Financial Systems Poland sp. z o.o., the supplier and maintainer of the IFS financial and accounting application.

In this respect, the appropriate level of protection was not determined by the European Commission by way of a decision but the data are adequately protected by standard data protection clauses adopted by the European Commission by way of a decision of the Commission of 5 February 2010 on standard contractual clauses on data transmission to personal data processors established in third countries under Directive 95/46 / EC of the European Parliament and of the Council (2010/87/EU) which are adequate safeguards for the transfer of data to countries such as Sri Lanka in accordance with 46 section 2 of GDPR.

You can also ask for additional information regarding the transfer of data outside the EEA and obtain a copy of the relevant security, using your rights stipulated in item 5.

5. Rights of the Contractors and the use of these rights

5.1. The rights

Each person has the right to access their personal data processed by the Administrator. If you believe that any information about you is incorrect or incomplete, please file a rectification as described in section 5.2 below. The administrator shall promptly correct such information.

Furthermore, you have the right to:

a) withdraw your consent in the event that the Administrator obtained such consent for the processing of personal data (the withdrawal does not violate the lawfulness of data processing carried out prior to the withdrawal);

b) request removal of your personal data in cases provided by the provisions of the GDPR;

c) request to limit the processing of your personal data in cases provided for in GDPR;

d) express objection – for reasons related to your special situation – to the processing of your personal data (including profiling), if such processing is carried out in order to serve the public interest or legitimate interests of the Administrator or a third party;

e) transfer your data i.e. receive personal data provided to the Administrator in a structured, commonly used and readable machine format, and to request such personal data to be transferred to another controller of personal data, without any interference on the part of the Administrator and subject to its own confidentiality obligations;

f) obtain a copy of the security – this applies to cases of transfer of personal data outside the EEA.
The administrator will verify your requests, demands or objections in accordance with the applicable provisions on the protection of personal data. However, it should be remembered that these rights are not absolute and the provisions provide for exceptions to their implementation.

In response to your request, the Administrator may ask you to verify your identity or provide information that will help you understand the situation better. The administrator will make every effort to explain their decision to you if your requests are not met.

5.2. Using your rights

You may use your rights by applying a proper request on the Address of Administrator’s HQ or by a contact form on the website https://en.echo.com.pl/s,120,formularz-kontaktowy.html.

If you are not satisfied with the way in which the Administrator processes your personal data, please let us know about the problem and we will investigate any irregularities that have occurred. Please report your concerns using the contact details provided above.

If you have reservations about the Administrator's response, there is also the possibility of submitting a complaint to the competent authority for the protection of personal data. In Poland this body is the President of the Office for Personal Data Protection.

In order to ensure the validity and accuracy of personal data, we may periodically ask you to check and confirm the personal data we hold about you or to inform us of any changes to the personal data (such as change of e-mail address). We encourage you to regularly check the correctness, validity and completeness of the personal data being processed.

6. Updates to the information clause

This clause was updated on 25 May 2018 and may be subject to further changes. If it is required by law, all information regarding future changes or additions to the processing of personal data described in this clause that may apply to you will be communicated to you through the appropriate form of communication usually used by the Administrator in dealing with Contractors.

This site uses cookies.
We use information collected via cookies to give you the best experience on our website. Cookies may also be used by our cooperating research companies and advertising agencies. If you agree to store information contained in cookies, click on the “x” at the upper right of this communication. If you disagree, you can change settings of cookies in web browser options.
I understand